Analysis
- max time kernel: 55s
- max time network: 57s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23/04/2023, 20:59
- Static task: static1
General
- Target: b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe
- Size: 563KB
- MD5: e62feeff0dd7207a703bee77d9e08521
- SHA1: 41b99e619c1331a8a4d46c943f718e4ef82cb7f4
- SHA256: b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98
- SHA512: b9946fa8e9179d7a109401f5d2096986ffc87823ec80afaa25b5aeec56d608e098e95dc626a6c8568cc1555308a56c12058ac337b71a07eac97cc15cc2ed6078
- SSDEEP: 12288:iy907RwsOwMeFGTQqMilTdDII8IhEH2WBCeizKmf/XI:iyI+sOwMUqjXDIrwK2eIzKmHI
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it974903.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it974903.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it974903.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it974903.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it974903.exe
Executes dropped EXE 4 IoCs
pid | Process
1848 | zitb9413.exe
4380 | it974903.exe
4396 | kp771454.exe
1172 | lr075071.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it974903.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zitb9413.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zitb9413.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4380 | it974903.exe
4380 | it974903.exe
4396 | kp771454.exe
4396 | kp771454.exe
1172 | lr075071.exe
1172 | lr075071.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4380 | it974903.exe
Token: SeDebugPrivilege | 4396 | kp771454.exe
Token: SeDebugPrivilege | 1172 | lr075071.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3536 wrote to memory of 1848 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 66
PID 3536 wrote to memory of 1848 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 66
PID 3536 wrote to memory of 1848 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 66
PID 1848 wrote to memory of 4380 | 1848 | zitb9413.exe | 67
PID 1848 wrote to memory of 4380 | 1848 | zitb9413.exe | 67
PID 1848 wrote to memory of 4396 | 1848 | zitb9413.exe | 68
PID 1848 wrote to memory of 4396 | 1848 | zitb9413.exe | 68
PID 1848 wrote to memory of 4396 | 1848 | zitb9413.exe | 68
PID 3536 wrote to memory of 1172 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 70
PID 3536 wrote to memory of 1172 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 70
PID 3536 wrote to memory of 1172 | 3536 | b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe | 70
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b53a92ac4b71d7b18e9d2435caff12da72ba8b0eac6c53b83b8bb6fed4d9fa98.exe"
  PID: 3536
  Signatures:
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitb9413.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitb9413.exe
    PID: 1848
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it974903.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it974903.exe
      PID: 4380
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp771454.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp771454.exe
      PID: 4396
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr075071.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr075071.exe
    PID: 1172
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
- Filesize: 409KB
  MD5: 6a4d7a4e8dfec16038c2d2abd04a38e5
  SHA1: fc6777d34180adcc27cb1641a9cebeb14e1e25cb
  SHA256: e202167e20c6a770066afbdc7209445d2c41b7a6333c7992864e2f6aedd0fce2
  SHA512: bc78a722e71250e6f354835130d69ae52808bcee9eedeb5ea8f5f30f42426b9aad7b4f442a3c3914279367a813458b25b3abb951cd14f56887ddea18134a1ec1
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 361KB
  MD5: 3ea779d7b374a1626bbff7c1da244672
  SHA1: 1228f9826f26ce537b45e2ac1f85fa44900eff72
  SHA256: 6ab5a8c6a9fefbb2dee71cd9a050639378362f76765dd92c3f94ca664a9cdcd5
  SHA512: fdb5395675c7109949f803942f49e9b014031605e9c583add8a34a8345991a652d5f2c6984f40b0b0fbd5a311e7e368ebba033f246a4d9fb4fe26e0a86159bcb